phase 2: ipam filter secondary service cidr

Author: khenidak

api/api-rules/violation_exceptions.list

@@ -636,6 +636,7 @@ API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,K
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,NamespaceControllerConfiguration,ConcurrentNamespaceSyncs
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,NamespaceControllerConfiguration,NamespaceSyncPeriod
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,NodeIPAMControllerConfiguration,NodeCIDRMaskSize
+API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,NodeIPAMControllerConfiguration,SecondaryServiceCIDR
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,NodeIPAMControllerConfiguration,ServiceCIDR
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,NodeLifecycleControllerConfiguration,EnableTaintManager
 API rule violation: names_match,k8s.io/kube-controller-manager/config/v1alpha1,NodeLifecycleControllerConfiguration,LargeClusterSizeThreshold

cmd/kube-controller-manager/app/core.go

@@ -83,6 +83,7 @@ func startServiceController(ctx ControllerContext) (http.Handler, bool, error) {
 }
 func startNodeIpamController(ctx ControllerContext) (http.Handler, bool, error) {
 	var serviceCIDR *net.IPNet
+	var secondaryServiceCIDR *net.IPNet
 
 	// should we start nodeIPAM
 	if !ctx.ComponentConfig.KubeCloudShared.AllocateNodeCIDRs {
@@ -118,12 +119,37 @@ func startNodeIpamController(ctx ControllerContext) (http.Handler, bool, error)
 		}
 	}
 
+	if len(strings.TrimSpace(ctx.ComponentConfig.NodeIPAMController.SecondaryServiceCIDR)) != 0 {
+		_, secondaryServiceCIDR, err = net.ParseCIDR(ctx.ComponentConfig.NodeIPAMController.SecondaryServiceCIDR)
+		if err != nil {
+			klog.Warningf("Unsuccessful parsing of service CIDR %v: %v", ctx.ComponentConfig.NodeIPAMController.SecondaryServiceCIDR, err)
+		}
+	}
+
+	// the following checks are triggered if both serviceCIDR and secondaryServiceCIDR are provided
+	if serviceCIDR != nil && secondaryServiceCIDR != nil {
+		// should have dual stack flag enabled
+		if !utilfeature.DefaultFeatureGate.Enabled(kubefeatures.IPv6DualStack) {
+			return nil, false, fmt.Errorf("secondary service cidr is provided and IPv6DualStack feature is not enabled")
+		}
+
+		// should be dual stack (from different IPFamilies)
+		dualstackServiceCIDR, err := netutils.IsDualStackCIDRs([]*net.IPNet{serviceCIDR, secondaryServiceCIDR})
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to perform dualstack check on serviceCIDR and secondaryServiceCIDR error:%v", err)
+		}
+		if !dualstackServiceCIDR {
+			return nil, false, fmt.Errorf("serviceCIDR and secondaryServiceCIDR are not dualstack (from different IPfamiles)")
+		}
+	}
+
 	nodeIpamController, err := nodeipamcontroller.NewNodeIpamController(
 		ctx.InformerFactory.Core().V1().Nodes(),
 		ctx.Cloud,
 		ctx.ClientBuilder.ClientOrDie("node-controller"),
 		clusterCIDRs,
 		serviceCIDR,
+		secondaryServiceCIDR,
 		int(ctx.ComponentConfig.NodeIPAMController.NodeCIDRMaskSize),
 		ipam.CIDRAllocatorType(ctx.ComponentConfig.KubeCloudShared.CIDRAllocatorType),
 	)

cmd/kube-controller-manager/app/options/nodeipamcontroller.go

@@ -17,6 +17,9 @@ limitations under the License.
 package options
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/spf13/pflag"
 
 	nodeipamconfig "k8s.io/kubernetes/pkg/controller/nodeipam/config"
@@ -32,7 +35,6 @@ func (o *NodeIPAMControllerOptions) AddFlags(fs *pflag.FlagSet) {
 	if o == nil {
 		return
 	}
-
 	fs.StringVar(&o.ServiceCIDR, "service-cluster-ip-range", o.ServiceCIDR, "CIDR Range for Services in cluster. Requires --allocate-node-cidrs to be true")
 	fs.Int32Var(&o.NodeCIDRMaskSize, "node-cidr-mask-size", o.NodeCIDRMaskSize, "Mask size for node cidr in cluster.")
 }
@@ -43,7 +45,15 @@ func (o *NodeIPAMControllerOptions) ApplyTo(cfg *nodeipamconfig.NodeIPAMControll
 		return nil
 	}
 
-	cfg.ServiceCIDR = o.ServiceCIDR
+	// split the cidrs list and assign primary and secondary
+	serviceCIDRList := strings.Split(o.ServiceCIDR, ",")
+	if len(serviceCIDRList) > 0 {
+		cfg.ServiceCIDR = serviceCIDRList[0]
+	}
+	if len(serviceCIDRList) > 1 {
+		cfg.SecondaryServiceCIDR = serviceCIDRList[1]
+	}
+
 	cfg.NodeCIDRMaskSize = o.NodeCIDRMaskSize
 
 	return nil
@@ -54,7 +64,12 @@ func (o *NodeIPAMControllerOptions) Validate() []error {
 	if o == nil {
 		return nil
 	}
+	errs := make([]error, 0)
+
+	serviceCIDRList := strings.Split(o.ServiceCIDR, ",")
+	if len(serviceCIDRList) > 2 {
+		errs = append(errs, fmt.Errorf("--service-cluster-ip-range can not contain more than two entries"))
+	}
 
-	errs := []error{}
 	return errs
 }

pkg/controller/nodeipam/config/types.go

@@ -20,6 +20,8 @@ package config
 type NodeIPAMControllerConfiguration struct {
 	// serviceCIDR is CIDR Range for Services in cluster.
 	ServiceCIDR string
+	// secondaryServiceCIDR is CIDR Range for Services in cluster. This is used in dual stack clusters. SecondaryServiceCIDR must be of different IP family than ServiceCIDR
+	SecondaryServiceCIDR string
 	// NodeCIDRMaskSize is the mask size for node cidr in cluster.
 	NodeCIDRMaskSize int32
 }

pkg/controller/nodeipam/ipam/cidr_allocator.go

@@ -89,15 +89,15 @@ type CIDRAllocator interface {
 }
 
 // New creates a new CIDR range allocator.
-func New(kubeClient clientset.Interface, cloud cloudprovider.Interface, nodeInformer informers.NodeInformer, allocatorType CIDRAllocatorType, clusterCIDRs []*net.IPNet, serviceCIDR *net.IPNet, nodeCIDRMaskSize int) (CIDRAllocator, error) {
+func New(kubeClient clientset.Interface, cloud cloudprovider.Interface, nodeInformer informers.NodeInformer, allocatorType CIDRAllocatorType, clusterCIDRs []*net.IPNet, serviceCIDR *net.IPNet, secondaryServiceCIDR *net.IPNet, nodeCIDRMaskSize int) (CIDRAllocator, error) {
 	nodeList, err := listNodes(kubeClient)
 	if err != nil {
 		return nil, err
 	}
 
 	switch allocatorType {
 	case RangeAllocatorType:
-		return NewCIDRRangeAllocator(kubeClient, nodeInformer, clusterCIDRs, serviceCIDR, nodeCIDRMaskSize, nodeList)
+		return NewCIDRRangeAllocator(kubeClient, nodeInformer, clusterCIDRs, serviceCIDR, secondaryServiceCIDR, nodeCIDRMaskSize, nodeList)
 	case CloudAllocatorType:
 		return NewCloudCIDRAllocator(kubeClient, cloud, nodeInformer)
 	default:

pkg/controller/nodeipam/ipam/range_allocator.go

@@ -71,7 +71,7 @@ type rangeAllocator struct {
 // Caller must always pass in a list of existing nodes so the new allocator.
 // Caller must ensure that ClusterCIDRs are semantically correct e.g (1 for non DualStack, 2 for DualStack etc..)
 // can initialize its CIDR map. NodeList is only nil in testing.
-func NewCIDRRangeAllocator(client clientset.Interface, nodeInformer informers.NodeInformer, clusterCIDRs []*net.IPNet, serviceCIDR *net.IPNet, subNetMaskSize int, nodeList *v1.NodeList) (CIDRAllocator, error) {
+func NewCIDRRangeAllocator(client clientset.Interface, nodeInformer informers.NodeInformer, clusterCIDRs []*net.IPNet, serviceCIDR *net.IPNet, secondaryServiceCIDR *net.IPNet, subNetMaskSize int, nodeList *v1.NodeList) (CIDRAllocator, error) {
 	if client == nil {
 		klog.Fatalf("kubeClient is nil when starting NodeController")
 	}
@@ -110,6 +110,12 @@ func NewCIDRRangeAllocator(client clientset.Interface, nodeInformer informers.No
 		klog.V(0).Info("No Service CIDR provided. Skipping filtering out service addresses.")
 	}
 
+	if secondaryServiceCIDR != nil {
+		ra.filterOutServiceRange(secondaryServiceCIDR)
+	} else {
+		klog.V(0).Info("No Secondary Service CIDR provided. Skipping filtering out secondary service addresses.")
+	}
+
 	if nodeList != nil {
 		for _, node := range nodeList.Items {
 			if len(node.Spec.PodCIDRs) == 0 {
@@ -295,6 +301,7 @@ func (r *rangeAllocator) filterOutServiceRange(serviceCIDR *net.IPNet) {
 	// serviceCIDR) or vice versa (which means that serviceCIDR contains
 	// clusterCIDR).
 	for idx, cidr := range r.clusterCIDRs {
+		// if they don't overlap then ignore the filtering
 		if !cidr.Contains(serviceCIDR.IP.Mask(cidr.Mask)) && !serviceCIDR.Contains(cidr.IP.Mask(serviceCIDR.Mask)) {
 			continue
 		}

pkg/controller/nodeipam/ipam/range_allocator_test.go

@@ -60,11 +60,12 @@ func getFakeNodeInformer(fakeNodeHandler *testutil.FakeNodeHandler) coreinformer
 }
 
 type testCase struct {
-	description     string
-	fakeNodeHandler *testutil.FakeNodeHandler
-	clusterCIDRs    []*net.IPNet
-	serviceCIDR     *net.IPNet
-	subNetMaskSize  int
+	description          string
+	fakeNodeHandler      *testutil.FakeNodeHandler
+	clusterCIDRs         []*net.IPNet
+	serviceCIDR          *net.IPNet
+	secondaryServiceCIDR *net.IPNet
+	subNetMaskSize       int
 	// key is index of the cidr allocated
 	expectedAllocatedCIDR map[int]string
 	allocatedCIDRs        map[int][]string
@@ -89,8 +90,9 @@ func TestAllocateOrOccupyCIDRSuccess(t *testing.T) {
 				_, clusterCIDR, _ := net.ParseCIDR("127.123.234.0/24")
 				return []*net.IPNet{clusterCIDR}
 			}(),
-			serviceCIDR:    nil,
-			subNetMaskSize: 30,
+			serviceCIDR:          nil,
+			secondaryServiceCIDR: nil,
+			subNetMaskSize:       30,
 			expectedAllocatedCIDR: map[int]string{
 				0: "127.123.234.0/30",
 			},
@@ -115,7 +117,8 @@ func TestAllocateOrOccupyCIDRSuccess(t *testing.T) {
 				_, serviceCIDR, _ := net.ParseCIDR("127.123.234.0/26")
 				return serviceCIDR
 			}(),
-			subNetMaskSize: 30,
+			secondaryServiceCIDR: nil,
+			subNetMaskSize:       30,
 			// it should return first /30 CIDR after service range
 			expectedAllocatedCIDR: map[int]string{
 				0: "127.123.234.64/30",
@@ -141,7 +144,8 @@ func TestAllocateOrOccupyCIDRSuccess(t *testing.T) {
 				_, serviceCIDR, _ := net.ParseCIDR("127.123.234.0/26")
 				return serviceCIDR
 			}(),
-			subNetMaskSize: 30,
+			secondaryServiceCIDR: nil,
+			subNetMaskSize:       30,
 			allocatedCIDRs: map[int][]string{
 				0: {"127.123.234.64/30", "127.123.234.68/30", "127.123.234.72/30", "127.123.234.80/30"},
 			},
@@ -170,6 +174,7 @@ func TestAllocateOrOccupyCIDRSuccess(t *testing.T) {
 				_, serviceCIDR, _ := net.ParseCIDR("127.123.234.0/26")
 				return serviceCIDR
 			}(),
+			secondaryServiceCIDR: nil,
 		},
 		{
 			description: "Dualstack CIDRs v6,v4",
@@ -192,6 +197,7 @@ func TestAllocateOrOccupyCIDRSuccess(t *testing.T) {
 				_, serviceCIDR, _ := net.ParseCIDR("127.123.234.0/26")
 				return serviceCIDR
 			}(),
+			secondaryServiceCIDR: nil,
 		},
 
 		{
@@ -216,13 +222,14 @@ func TestAllocateOrOccupyCIDRSuccess(t *testing.T) {
 				_, serviceCIDR, _ := net.ParseCIDR("127.123.234.0/26")
 				return serviceCIDR
 			}(),
+			secondaryServiceCIDR: nil,
 		},
 	}
 
 	// test function
 	testFunc := func(tc testCase) {
 		// Initialize the range allocator.
-		allocator, err := NewCIDRRangeAllocator(tc.fakeNodeHandler, getFakeNodeInformer(tc.fakeNodeHandler), tc.clusterCIDRs, tc.serviceCIDR, tc.subNetMaskSize, nil)
+		allocator, err := NewCIDRRangeAllocator(tc.fakeNodeHandler, getFakeNodeInformer(tc.fakeNodeHandler), tc.clusterCIDRs, tc.serviceCIDR, tc.secondaryServiceCIDR, tc.subNetMaskSize, nil)
 		if err != nil {
 			t.Errorf("%v: failed to create CIDRRangeAllocator with error %v", tc.description, err)
 			return
@@ -298,8 +305,9 @@ func TestAllocateOrOccupyCIDRFailure(t *testing.T) {
 				_, clusterCIDR, _ := net.ParseCIDR("127.123.234.0/28")
 				return []*net.IPNet{clusterCIDR}
 			}(),
-			serviceCIDR:    nil,
-			subNetMaskSize: 30,
+			serviceCIDR:          nil,
+			secondaryServiceCIDR: nil,
+			subNetMaskSize:       30,
 			allocatedCIDRs: map[int][]string{
 				0: {"127.123.234.0/30", "127.123.234.4/30", "127.123.234.8/30", "127.123.234.12/30"},
 			},
@@ -308,7 +316,7 @@ func TestAllocateOrOccupyCIDRFailure(t *testing.T) {
 
 	testFunc := func(tc testCase) {
 		// Initialize the range allocator.
-		allocator, err := NewCIDRRangeAllocator(tc.fakeNodeHandler, getFakeNodeInformer(tc.fakeNodeHandler), tc.clusterCIDRs, tc.serviceCIDR, tc.subNetMaskSize, nil)
+		allocator, err := NewCIDRRangeAllocator(tc.fakeNodeHandler, getFakeNodeInformer(tc.fakeNodeHandler), tc.clusterCIDRs, tc.serviceCIDR, tc.secondaryServiceCIDR, tc.subNetMaskSize, nil)
 		if err != nil {
 			t.Logf("%v: failed to create CIDRRangeAllocator with error %v", tc.description, err)
 		}
@@ -369,6 +377,7 @@ type releaseTestCase struct {
 	fakeNodeHandler                  *testutil.FakeNodeHandler
 	clusterCIDRs                     []*net.IPNet
 	serviceCIDR                      *net.IPNet
+	secondaryServiceCIDR             *net.IPNet
 	subNetMaskSize                   int
 	expectedAllocatedCIDRFirstRound  map[int]string
 	expectedAllocatedCIDRSecondRound map[int]string
@@ -394,8 +403,9 @@ func TestReleaseCIDRSuccess(t *testing.T) {
 				_, clusterCIDR, _ := net.ParseCIDR("127.123.234.0/28")
 				return []*net.IPNet{clusterCIDR}
 			}(),
-			serviceCIDR:    nil,
-			subNetMaskSize: 30,
+			serviceCIDR:          nil,
+			secondaryServiceCIDR: nil,
+			subNetMaskSize:       30,
 			allocatedCIDRs: map[int][]string{
 				0: {"127.123.234.0/30", "127.123.234.4/30", "127.123.234.8/30", "127.123.234.12/30"},
 			},
@@ -423,8 +433,9 @@ func TestReleaseCIDRSuccess(t *testing.T) {
 				_, clusterCIDR, _ := net.ParseCIDR("127.123.234.0/28")
 				return []*net.IPNet{clusterCIDR}
 			}(),
-			serviceCIDR:    nil,
-			subNetMaskSize: 30,
+			serviceCIDR:          nil,
+			secondaryServiceCIDR: nil,
+			subNetMaskSize:       30,
 			allocatedCIDRs: map[int][]string{
 				0: {"127.123.234.4/30", "127.123.234.8/30", "127.123.234.12/30"},
 			},
@@ -442,7 +453,7 @@ func TestReleaseCIDRSuccess(t *testing.T) {
 
 	testFunc := func(tc releaseTestCase) {
 		// Initialize the range allocator.
-		allocator, _ := NewCIDRRangeAllocator(tc.fakeNodeHandler, getFakeNodeInformer(tc.fakeNodeHandler), tc.clusterCIDRs, tc.serviceCIDR, tc.subNetMaskSize, nil)
+		allocator, _ := NewCIDRRangeAllocator(tc.fakeNodeHandler, getFakeNodeInformer(tc.fakeNodeHandler), tc.clusterCIDRs, tc.serviceCIDR, tc.secondaryServiceCIDR, tc.subNetMaskSize, nil)
 		rangeAllocator, ok := allocator.(*rangeAllocator)
 		if !ok {
 			t.Logf("%v: found non-default implementation of CIDRAllocator, skipping white-box test...", tc.description)

pkg/controller/nodeipam/node_ipam_controller.go

@@ -53,10 +53,11 @@ const (
 type Controller struct {
 	allocatorType ipam.CIDRAllocatorType
 
-	cloud        cloudprovider.Interface
-	clusterCIDRs []*net.IPNet
-	serviceCIDR  *net.IPNet
-	kubeClient   clientset.Interface
+	cloud                cloudprovider.Interface
+	clusterCIDRs         []*net.IPNet
+	serviceCIDR          *net.IPNet
+	secondaryServiceCIDR *net.IPNet
+	kubeClient           clientset.Interface
 	// Method for easy mocking in unittest.
 	lookupIP func(host string) ([]net.IP, error)
 
@@ -79,6 +80,7 @@ func NewNodeIpamController(
 	kubeClient clientset.Interface,
 	clusterCIDRs []*net.IPNet,
 	serviceCIDR *net.IPNet,
+	secondaryServiceCIDR *net.IPNet,
 	nodeCIDRMaskSize int,
 	allocatorType ipam.CIDRAllocatorType) (*Controller, error) {
 
@@ -119,20 +121,21 @@ func NewNodeIpamController(
 	}
 
 	ic := &Controller{
-		cloud:         cloud,
-		kubeClient:    kubeClient,
-		lookupIP:      net.LookupIP,
-		clusterCIDRs:  clusterCIDRs,
-		serviceCIDR:   serviceCIDR,
-		allocatorType: allocatorType,
+		cloud:                cloud,
+		kubeClient:           kubeClient,
+		lookupIP:             net.LookupIP,
+		clusterCIDRs:         clusterCIDRs,
+		serviceCIDR:          serviceCIDR,
+		secondaryServiceCIDR: secondaryServiceCIDR,
+		allocatorType:        allocatorType,
 	}
 
 	// TODO: Abstract this check into a generic controller manager should run method.
 	if ic.allocatorType == ipam.IPAMFromClusterAllocatorType || ic.allocatorType == ipam.IPAMFromCloudAllocatorType {
 		startLegacyIPAM(ic, nodeInformer, cloud, kubeClient, clusterCIDRs, serviceCIDR, nodeCIDRMaskSize)
 	} else {
 		var err error
-		ic.cidrAllocator, err = ipam.New(kubeClient, cloud, nodeInformer, ic.allocatorType, clusterCIDRs, ic.serviceCIDR, nodeCIDRMaskSize)
+		ic.cidrAllocator, err = ipam.New(kubeClient, cloud, nodeInformer, ic.allocatorType, clusterCIDRs, ic.serviceCIDR, ic.secondaryServiceCIDR, nodeCIDRMaskSize)
 		if err != nil {
 			return nil, err
 		}